Which versions of httppack are malicious?

The following PyPI versions of httppack are flagged malicious: 0.1, 0.2. Treat any of these as compromised.

How do I remediate httppack if I installed it?

Remove httppack from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed httppack — how do I know if it already compromised me?

If httppack was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is httppack part of a known attack campaign?

Yes — httppack is associated with the RLMA-2025-03615, GENERIC-simple-tests, RLUA-2026-00398 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find httppack across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for httppack (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging httppack across your stack and pipelines.

Malicious package

httppackPyPI

Malicious code in httppack (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6522

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall httppack

What this malware does

Packages that might be part of testing for pentesting / malicious activity / joy, with suspicious activity that does not present any real harm.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-simple-tests

Reasons (based on the campaign):

The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

2 flagged

0.10.2

Indicators of compromise (SHA-256)

5db6abc2dd73c368c8d62385f13796a00cefea8bfb5402ead9f78cf28fd921bf

9e56447724a029ce757b7928d9d901b53bc34d2dba8bad3ef794ac77844afaf6

d66d0c3948eb48c93a56872d2a149edfcc65ae57178e7d7a51405ef755880939

17afbbd40f2c75f9b0778ba9e27f3372b83c743c36f0ef4f9965f26a2c4b0086

437fed99869ae64fd84ced0bfd32d14e1f475c3366273a368f5bb8aa89325bc7

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for httppack (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging httppack across your stack and pipelines.
If you installed it — respond
Remove httppack from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If httppack was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks httppack before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. httppack on PyPI has been identified as a malicious package (versions 0.1, 0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-03615GENERIC-simple-testsRLUA-2026-00398

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks httppack-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring